Subscriber Discussion

How Do You Develop An IP Address Scheme?

Undisclosed #1
Jun 14, 2018

When building out a surveillance/security network, how do you choose IP address scheme?

Specifically, how do you decide which devices occupy which range, e.g.:

  • Default gateway: 172.16.20.1
  • Servers: 172.16.21.1-5
  • Switches: 172.16.21.30-35
  • Cameras: 172.16.22.1-?
  • Access control: 172.16.30.1-?

And so on. We have planned smaller Class C networks in the past and ended up running out of addresses in specific ranges when we added more cameras, servers, and switches than expected, and needing to change subnet masks later. So we are moving to a Class B network now and want to organize properly from the start.

Undisclosed #1
Jun 14, 2018

Note: this isn't a question about the difference between class A/B/C or how to subnet, it is purely regarding organization and documentation for future proofing the scheme.

Undisclosed
Jun 14, 2018

First of all you're supposed to be doing this in IPv6 not IPv4.   There, you've had your IPv4 safety scolding. Secondly you're supposed to be using DNS, like the rest of the network world has for the last 20 years.  So this should be about naming conventions not addresses.  There, you've had your hard-coded-addresses safety scolding.  Now to your question.

If you've got more than a class c worth of gear you probably shouldn't have it all on one subnet, just for practicality reasons.  I agree grouping devices together can be helpful.  You should have some sort of expansion scheme built into your whole architecture.  So e.g. save off addresses for more cameras.  But note that you're not likely to add another 1000 cameras to that one VMS the first 17 were connected to.  So you should look at the big picture and maybe do one vms plus cameras each on their own subnet.

Lastly of course never ever ever do this in a vacuum because that's a good way to get in trouble with the local IT folks.  Using a legitimate private address range like 172.16.20.0/24 is fine, as long as you've made some sort of effort to confirm you're not using the same subnet range as oh say the HVAC system, or the phone network.

And no it is very not cool to be caught assigning IP addresses over a blueprint at the back of the foreman's pickup truck on the job site.  If you're not running off a spreadsheet that's under document control you're probably doing it wrong.

(3)
(4)
(3)
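An added example (not from this discussion) of the planning steps described above: it carves a /16 into one subnet per device class with growth headroom built in, and refuses any block that overlaps ranges other building systems already use. The device counts, growth multipliers and the HVAC/phone ranges are constructed placeholders.

```python
import ipaddress

# Constructed demand: device class -> (devices today, growth multiplier to reserve for)
DEMAND = {
    "gateway_and_servers": (10, 3),
    "switches": (12, 3),
    "cameras": (170, 3),
    "access_control": (40, 3),
}

# Constructed: blocks other building systems already occupy (the HVAC/phone check)
OTHER_TENANTS = [
    ipaddress.ip_network("172.16.0.0/22"),   # HVAC (constructed)
    ipaddress.ip_network("172.16.40.0/24"),  # phone system (constructed)
]


def conflicts(proposed, in_use):
    """Return every in-use block that overlaps the proposed block."""
    proposed = ipaddress.ip_network(proposed)
    return [b for b in in_use if proposed.overlaps(b)]


def prefix_for(hosts_needed, supernet):
    """Longest (smallest) prefix inside supernet with enough usable host addresses."""
    for prefix in range(30, supernet.prefixlen, -1):
        if 2 ** (32 - prefix) - 2 >= hosts_needed:
            return prefix
    raise ValueError(f"{hosts_needed} hosts do not fit in {supernet}")


def plan(supernet, demand, in_use):
    """Carve one subnet per device class out of supernet, skipping blocks in use.

    Returns {class: (network, usable addresses, spare addresses after today's devices)}.
    """
    supernet = ipaddress.ip_network(supernet)
    taken = list(in_use)
    result = {}
    for name, (count, growth) in demand.items():
        prefix = prefix_for(count * growth, supernet)
        for cand in supernet.subnets(new_prefix=prefix):
            if not conflicts(cand, taken):  # skip HVAC/phone and our own earlier blocks
                taken.append(cand)
                usable = cand.num_addresses - 2
                result[name] = (cand, usable, usable - count)
                break
        else:
            raise ValueError(f"no free block for {name}")
    return result


if __name__ == "__main__":
    for name, (net, usable, spare) in plan("172.16.0.0/16", DEMAND, OTHER_TENANTS).items():
        print(f"{name:20} {str(net):18} usable={usable:4} spare={spare}")
```

The output of `plan()` is the starting point for the document-controlled spreadsheet mentioned above; re-run it with updated counts before adding a new block rather than shrinking masks later.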
Ethan Ace
Jun 15, 2018

LOL @ IPv6. One day, I plan to get myself ramped up and using v6. That day has been "in the next few years" every year since about 1999. 

I've always thought it would be nice to use DNS, but no other engineer I've worked with had the same idea. 

I personally think that overkill in this case is a great idea. We've all had networks expand faster and further than ever planned for, so allocating 500 addresses for security devices when you probably won't ever exceed 200 is perfectly fine.

(2)
Undisclosed #3
Jun 16, 2018
IPVMU Certified

First of all you're supposed to be doing this in IPv6 not IPv4...

Secondly you're supposed to be using DNS...

Why not kill two birds with one stone?  

Use IPv6 as your DNS!  

With 64 bits of user address space you can encode 9 chars of ASCII.

That’s one more character than the base file name limit in early MS-DOS that Bill Gates thought was sufficient.  And he was a genius ;)

(1)
Jon Dillabaugh
Jun 16, 2018
Pro Focus LLC

Why not Class C with VLANS?

Undisclosed
Jun 17, 2018

A Class C (/24, 254 usable addresses, in case y'all don't live and breathe CIDR blocks) is fine if you feel it fits your expansion planning.  A VLAN can be useful except:

  vlans can be attacked

  vlans don't isolate the data (they isolate one vlan's view of another vlan)

so as long as you don't walk around claiming VLANs are the security solution then yes a VLAN can be useful.  And configure them carefully.  Do NOT check your brains at the door and take all the Cisco switch defaults.

(1)
Undisclosed #3
Jun 17, 2018
IPVMU Certified

vlans can be attacked

vlans don't isolate the data (they isolate one vlan's view of another vlan)

There are many ways to configure VLANS.  One of the more common ways in video surveillance is shown below:

In this case, the data is segregated by the VLAN-capable switch on the physical media.  To see the unauthorized data on one VLAN from another would require the switch to be hacked.  If your switch has been hacked, you likely have bigger problems.

Jon Dillabaugh
Jun 17, 2018
Pro Focus LLC

Rodney, your understanding of VLANs is very basic. VLANs are very capable of segmenting network traffic and being as secure as airgapped networks, if properly implemented.

(1)
Undisclosed #2
Jun 16, 2018

IP schema is relative to growth.

Complexity is fragile, if you can repeat simplistic configurations without extreme custom configurations the deployment you seek remains the same.

Private network vs. Public.

(1)